In addition, any DOM property can be associated with a privilege (user defined) as discussed in the "Configurable Security" section.
JavaScript Features Requiring Privileges

This section lists the JavaScript features that require expanded privileges and the target used to access each feature. Unsigned scripts cannot use any of these features, unless the end user has enabled codebase principals.
- Using an about: URL other than about:blank requires UniversalBrowserRead.
- Using the history object to find out what other sites the user has visited, or how many other sites the user has visited in this session, requires UniversalBrowserRead.
- navigator object:
  - Getting the value of a preference using the preference method requires UniversalPreferencesRead.
  - Setting the value of a preference using the preference method requires UniversalPreferencesWrite.
- window object: All of the following operations require UniversalBrowserWrite.
  - Adding or removing the directory bar, location bar, menu bar, personal bar, scroll bar, status bar, or toolbar.
  - Using the following methods under the indicated circumstances:
    - enableExternalCapture: to capture events in pages loaded from different servers. Follow this method with captureEvents.
    - close: to unconditionally close a browser window.
    - moveBy, moveTo: to move a window off of the screen.
    - open:
      - To create a window smaller than 100 x 100 pixels or larger than the screen can accommodate by using innerWidth, innerHeight, outerWidth, and outerHeight.
      - To place a window off screen by using screenX and screenY.
      - To create a window without a title bar by using titlebar=no.
      - To use alwaysRaised, alwaysLowered, or z-lock for any setting.
  - Setting the following properties under the indicated circumstances:
    - innerWidth, innerHeight: to set the inner width of a window to a size smaller than 100 x 100 or larger than the screen can accommodate.
Hints for Writing Secure JavaScript

Check the Location of the Script

If you have signed scripts in pages you have posted to your site, it is possible to copy the JAR file from your site and post it on another site. As long as the signed scripts themselves are not altered, the scripts will continue to operate under your signature. (See "Debugging Invalid Signature Errors" for one exception to this rule.) If you wish to prevent this, you can force your scripts to work only from your site:

```javascript
// The dots in the host name are escaped so the pattern matches only
// www.company.com and not look-alike hosts (an unescaped "." matches any character).
if (location.href.match(/^http:\/\/www\.company\.com\//)) {
    netscape.security.PrivilegeManager.enablePrivilege(...);
    // Do your stuff
}
```

Then if the JAR file and script are copied to another site, they no longer work. If the person who copies the script alters it to bypass the check on the source of the script, the signature is invalidated.
Minimize the Trusted Code Base

In security parlance, the trusted code base (TCB) is the set of code that has privileges to perform restricted actions. One way to improve security is to reduce the size of the TCB, which then gives fewer points for attack or opportunities for mistakes.

For example, the following code, if executed in a signed script with the user's approval, opens a new window containing the history of the browser:

```javascript
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserAccess");
var win = window.open();
for (var i = 0; i < history.length; i++)
    win.document.writeln(history[i] + "<br>"); // one history entry per line
win.close();
```

The TCB in this instance is the entire script because privileges are acquired at the beginning and never reverted. You could reduce the TCB by rewriting the program as follows:

```javascript
var win = window.open();
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserAccess");
for (var i = 0; i < history.length; i++)
    win.document.writeln(history[i] + "<br>");
netscape.security.PrivilegeManager.revertPrivilege("UniversalBrowserAccess");
win.close();
```

With this change, the TCB becomes only the loop containing the accesses to the history property. You could avoid the extra call to revert the privilege by introducing a function:

```javascript
function writeArray() {
    // Privilege is scoped to this function; it is reverted when the function returns
    netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserAccess");
    for (var i = 0; i < history.length; i++) {
        win.document.writeln(history[i] + "<br>");
    }
}
var win = window.open();
writeArray();
win.close();
```

The privileges are automatically reverted when writeArray returns, so you don't have to do so explicitly.
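The two hints above (checking the script's location, and keeping the privileged region as small as possible) combined in one added example that is not from the original page. netscape.security.PrivilegeManager only exists in the legacy Netscape/Mozilla engine, so the privilege manager is passed in as a parameter; the FakePrivilegeManager class is a constructed stand-in that records calls and can simulate the user denying a privilege, so the code runs offline. The strict origin pattern also accepts https, which goes beyond the page's http-only check.

```javascript
// The page's original pattern: unescaped dots match any character, so a
// look-alike host such as www.companyXcom also passes this check.
const LOOSE_ORIGIN = /^http:\/\/www.company.com\//;
// Escaped dots plus an explicit scheme: only the real host matches.
const STRICT_ORIGIN = /^https?:\/\/www\.company\.com\//;

function isTrustedLocation(href, pattern = STRICT_ORIGIN) {
  return pattern.test(href);
}

// Run `work` with `privilege` enabled and revert it on every exit path,
// so the TCB is exactly the body of `work`, even if it throws.
function withPrivilege(manager, privilege, work) {
  manager.enablePrivilege(privilege); // throws if the user denies the prompt
  try {
    return work();
  } finally {
    manager.revertPrivilege(privilege); // privileged region ends here
  }
}

// Constructed stand-in for netscape.security.PrivilegeManager (hypothetical).
class FakePrivilegeManager {
  constructor(denied = []) { this.denied = denied; this.log = []; }
  enablePrivilege(p) {
    this.log.push("enable:" + p);
    if (this.denied.includes(p)) throw new Error("User denied " + p);
  }
  revertPrivilege(p) { this.log.push("revert:" + p); }
}

// Mirrors the page's writeArray: only the loop over the history entries
// runs with UniversalBrowserAccess enabled, and only from our own site.
function copyHistory(manager, historyEntries, href) {
  if (!isTrustedLocation(href)) throw new Error("script not served from our site");
  return withPrivilege(manager, "UniversalBrowserAccess", () => {
    const lines = [];
    for (let i = 0; i < historyEntries.length; i++) {
      lines.push(historyEntries[i] + "<br>");
    }
    return lines;
  });
}
```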
International Characters in Signed Scripts

When used in scripts, international characters can appear in string constants and in comments. JavaScript keywords and variables cannot include special international characters. Scripts that include international characters cannot be signed because the process of transforming the characters to the local character set invalidates the signature. To work around this limitation:
- Escape the international characters ('\xea', and so on).
- Put the data containing the international characters in a hidden form element, and access the form element through the signed script.
- Separate signed and unsigned scripts into different layers, and use the international characters in the unsigned scripts.
- Remove comments that include international characters.
Here is an example of the syntax needed for signing scripts:

```shell
% signtool -k"Cert Name" -Z"secure.jar" secure-files/
```

This command will create a JAR file (secure.jar) signed by "Cert Name". All the JavaScript and HTML files in the directory secure-files/ will be signed and stored in the JAR file.

After Signing

Once you've signed a script, any time you change it you must re-sign it. For JavaScript files, this means you cannot change anything in the file. A change can be as simple as adding or removing white space in the script.

For testing, use SignTool to create a test certificate (see documentation). However, end users will not be able to use the test certificate, so remember to obtain a certificate from a certificate authority in order to serve a signed script on the web.

Accessing a Signed Page

New in Mozilla is the syntax needed to access signed scripts within JAR files. The syntax is as follows:

```
jar: -scripts/secure.jar!/thepage.html
```

Scripts will only be treated as signed if the HTML page that contains them is using a URL of this form.

CHANGE NOTE: Browsers based on Mozilla code version 1.8.1.10 or later (e.g. Firefox 2.0.0.10) will not open files using the jar: URI scheme unless the server sends a Content-Type header that indicates the archive is safe to be treated as active code. You must configure your server to send application/java-archive for these files (application/x-jar is also supported).

Changes to a signed script's byte stream invalidate the script's signature. This includes moving the HTML page between platforms that have different representations of text. For example, moving an HTML page from a Windows server to a UNIX server changes the byte stream and invalidates the signature. (This doesn't affect viewing pages from multiple platforms.) To avoid this, you can move the page in binary mode. Note that doing so changes the appearance of the page in your text editor but not in the browser.

Troubleshooting Signed Scripts

Exception Handling

Exception handling is highly recommended when using signed scripts. It allows you to deal gracefully with errors or the user choosing to deny a privilege. For example: